VehicleSec '25 Technical Sessions

Monday, August 11

8:00 am–9:00 am

Continental Breakfast

9:00 am–9:15 am

Opening Remarks and Best Paper Awards

General Chairs: Z. Berkay Celik, Purdue University, and Ning Zhang, Washington University in St. Louis

9:15 am–10:00 am

Keynote Presentation

Ten Years After the Jeep Hack: A Retrospective on Automotive Cybersecurity

Charlie Miller and Chris Valasek, Open RCE

A decade has passed since Miller and Valasek remotely hacked a Jeep to gain control over the computer systems of the vehicle, highlighting the vulnerabilities of connected cars and the potential dangers of cyberattacks on vehicles. This keynote will look back into how the vehicle compromise occurred and what has changed in the auto industry since this research was presented. It will also detail the trials and tribulations of the current automotive security ecosystem and finish off with a prediction of where Miller and Valasek see the industry going in the future, given the changing threat landscapes of the automotive world. You probably want to wear shoes, because this keynote is about to blow your socks off.

Chris Valasek is a computer security researcher. He rose to fame by reverse engineering the Windows heap as well as running the world’s oldest computer security conference, SummerCon. He is perhaps best known for automotive security research where he demonstrated remote vulnerabilities in a Jeep Cherokee that led to a recall of 1.5 million vehicles. He is currently the Director of Cybersecurity at Cruise, a self-driving car company.

Charlie Miller is perhaps best known as being Chris Valasek’s friend.

10:00 am–10:30 am

Coffee and Tea Break

10:30 am–11:20 am

Vehicle Network Security

Stateful Behavior Inference and Runtime Enforcement for Vehicle Network Security

Achintya Desai, UC Santa Barbara; Ruochen Dai, University of Florida; Yanju Chen, UC Santa Barbara; Ky Ho, Oceanit; Austin Kee, University of Florida; Sophie Bulatovic, Oceanit; Md Shafiuzzaman, UC Santa Barbara; Ken (Yihang) Bai, University of Florida; Il Ung Jeong and David Siu, Oceanit; Tuba Yavuz, University of Florida; Tevfik Bultan, UC Santa Barbara

CANdid - An Open-Access Annotated Dataset of Vehicle CAN Bus Traffic

Tomas Howson, CSSM, School of Physics, Chemistry and Earth Sciences, University of Adelaide; Alexander Rohl, Defence Science and Technology Group, Australia; Matthew Roughan, School of Computer and Mathematical Sciences, University of Adelaide; Martin White and James Zanotti, CSSM, School of Physics, Chemistry and Earth Sciences, University of Adelaide

11:20 am–12:00 pm

Drone Security

ConfuSense: Sensor Reconfiguration Attacks for Stealthy UAV Manipulation

Alessandro Erba, KASTEL Security Research Labs, Karlsruhe Institute of Technology; John H. Castellanos, Hitachi Energy Research, Germany; Sahil Sihag, CISPA Helmholtz Center for Information Security; Saman Zonouz, Georgia Institute of Technology; Nils Ole Tippenhauer, CISPA Helmholtz Center for Information Security

12:00 pm–1:30 pm

Symposium Luncheon

1:30 pm–2:00 pm

Electric Vehicle Charging Security 1

2:00 pm–2:45 pm

Autonomous Vehicle Privacy

2:45 pm–3:15 pm

Coffee and Tea Break

3:15 pm–4:10 pm

Hardware Security

4:10 pm–4:20 pm

Short Break

4:20 pm–5:20 pm

Tutorial

Session Chair: Mert Pesé, Clemson University

Hands-On Exploration of J1939 and NMEA 2000 Networks and Their Security Flaws

Jeremy Daily and Rik Chatterjee, Colorado State University

This tutorial provides a hands-on introduction to SAE J1939 and NMEA 2000 communication standards, foundational to networking in commercial vehicles and marine platforms. Participants will explore protocol architecture, including frame formats, addressing, arbitration, and multi-packet transport, through guided decoding exercises using real network traces. The session then shifts to protocol-level vulnerabilities rooted in design flaws—such as spoofing, denial-of-service, and control flow disruption—with live demonstrations on a virtual platform. Attendees will gain practical experience using open-source tools to assess vulnerabilities and inform safer protocol implementation.

6:00 pm–7:30 pm

VehicleSec '25 Demo/Poster Session and Happy Hour

Tuesday, August 12

8:00 am–8:50 am

Continental Breakfast

8:50 am–9:00 am

Opening Remarks and Demo Awards

General Chairs: Z. Berkay Celik, Purdue University, and Ning Zhang, Washington University in St. Louis

9:00 am–10:00 am

Keynote Presentation

What Vehicle Security Can Learn from Medical Device Security

Kevin Fu, Northeastern University

Vehicles, medical devices, and other cyber-physical systems increasingly rely on sensors to make safety-critical decisions in real time. In my lab, we study how attackers can exploit the physics of sensors and analog interfaces to manipulate computation at the most fundamental level. But this talk isn’t about that research.

Instead, I’ll focus on lessons from nearly two decades of medical device security research, and what this can teach us about securing the next generation of vehicles. Medical devices, such as pacemakers and infusion pumps, share surprising similarities with modern automotive systems. Both involve long product lifecycles, real-time embedded software, RF communication, complex supply chains, and safety. Both also operate in regulatory environments that often struggle to keep pace with technical innovation. However, only medical device security is written into U.S. statute (i.e., law rather than just regulatory policy).

The medical device industry has faced repeated challenges such as coordinated vulnerability disclosures, government-mandated recalls, supply chain risk management, and pressure to align safety engineering with modern security practices. The FDA’s evolving regulatory framework, along with increasing transparency around postmarket cybersecurity, offers valuable lessons in how to build trust and resilience into safety-critical systems.

This talk will examine how the healthcare sector approaches threat modeling, security engineering, postmarket risk management, and incident response, including both successes and missteps. It will also explore how regulators, researchers, and industry engineers collaborated, often in error but never in doubt, to improve security outcomes in deployed systems. My aim is to share practical insights for those designing or securing automotive platforms so we can avoid repeating the same mistakes and accelerate the maturity of vehicle cybersecurity before the industry finds itself in crisis.

Professor Kevin Fu is a global leader at the intersection of healthcare, cybersecurity, electronics, and medical device innovation. He is a Professor at Northeastern University in Boston with joint appointments in Electrical & Computer Engineering, the Khoury College of Computer Sciences, and Bioengineering. He also serves as Director of the Archimedes Center for Healthcare and Medical Device Cybersecurity.

Professor Fu’s research vision is a world where science-based security is built in by design to all embedded systems, including medical devices, health care delivery, autonomous transportation, manufacturing, and the Internet of Things. His research lab focuses on analog cybersecurity, understanding and defending against threats to the physics of computation and sensing.

He has delivered over 100 invited talks to audiences worldwide on topics such as medical device security, embedded systems, and the physics of cybersecurity. Since his pioneering research on pacemaker and defibrillator vulnerabilities more than 17 years ago, he has helped shape the field of medical device cybersecurity. He advises medical device manufacturers, pharmaceutical companies, and startups on secure system design to seek FDA clearance or approval, and how to avoid FDA recalls for cybersecurity deficiencies.

Professor Fu previously served as the first Acting Director of Medical Device Security at the U.S. Food and Drug Administration. He has advised the White House, Congress, NIST, and private-sector leaders on strengthening cybersecurity for critical infrastructure and healthcare technologies. He also leads national efforts in developing interdisciplinary medical device cybersecurity curricula in partnership with academic, clinical, and industry stakeholders.

Professor Fu was recognized as an ACM Fellow, IEEE Fellow, AAAS Fellow, Sloan Research Fellow, and NSF CAREER Award recipient. He received the MIT Technology Review TR35 Innovator of the Year, Fed100 Award, and the IEEE Security and Privacy Test of Time Award, and earned best paper awards from USENIX Security, IEEE S&P, and ACM SIGCOMM. He chairs the USENIX Security Test of Time Awards Selection Committee. Prof. Fu received his BS, MEng, and PhD from MIT.

10:00 am–10:30 am

Coffee and Tea Break

10:30 am–10:45 am

Lightning Talks

Session Chair: Mert Pesé, Clemson University

  • On-Road Driver Identification Dataset with CyberAttack
    Jeremy Daily, Colorado State University
  • Securing the Future of Marine Data with NMEA OneNet
    Jeremy Daily, Colorado State University
  • TBA

10:45 am–11:15 am

Autonomous Vehicle Security

11:15 am–12:00 pm

Electric Vehicle Charging Security 2

Oblivious Plug&Charge: A Privacy-Preserving EV Charging Scheme based on ORAM

Timm Lauser, Darmstadt University of Applied Sciences; Nergiz Yuca, University of Passau; Dustin Kern, Darmstadt University of Applied Sciences; Nikolay Matyunin, Honda Research Institute Europe GmbH; Stefan Katzenbeisser, University of Passau; Christoph Krauß, Darmstadt University of Applied Sciences

12:00 pm–1:30 pm

Symposium Luncheon

1:30 pm–2:00 pm

Human Aspects of Vehicle Security and Privacy

2:00 pm–2:40 pm

Vehicle Security Analysis

2:40 pm–3:10 pm

Coffee and Tea Break

3:10 pm–4:10 pm

AI-Based Attacks and Defenses

4:10 pm–4:20 pm

Short Break

4:20 pm–5:20 pm

Tutorial

Session Chair: Mert Pesé, Clemson University

Crash, Fail-safe, or Recover: Securing Robotic Autonomous Vehicles

Pritam Dash and Karthik Pattabiraman, University of British Columbia

This tutorial explores how physical sensor attacks compromise the safety and control of Robotic Autonomous Vehicles (RAVs), with a focus on state estimation failures. It will present and compare attack recovery techniques for both traditional PID-based and deep reinforcement learning (Deep-RL) controlled RAVs, including software sensors, feed-forward control, and multi-objective adversarial training. Through a mix of lectures and hands-on virtual activities, participants will learn to analyze attacks and apply resilient control strategies across different RAV architectures.

5:20 pm–5:30 pm

Closing Remarks

General Chairs: Z. Berkay Celik, Purdue University, and Ning Zhang, Washington University in St. Louis